Following the introduction of GDPR in May 2018, initial reports showed that data breach complaints increased by 160%. This alarming rate indicates how critical it is to ensure staff receive comprehensive GDPR training and understand the key aspects of GDPR fines.
The past few years have seen massive GDPR fines handed out to firms. Here's a breakdown of the top penalties from 2018 to 2024.
Top 20 GDPR breach fines
- Meta Platforms Ireland Ltd. - €1.2bn fine (2023)
- Amazon Europe - €746m fine (2021)
- Meta Platforms, Inc. - €405m fine (2022)
- Meta Platforms Ireland Ltd. - €390m fine (2023)
- TikTok Ltd - €345m fine (2023)
- Uber - €290m fine (2024)
- Meta Platforms Ireland Limited - €265m fine (2022)
- WhatsApp Ireland - €225m fine (2021)
- Enel Energia SpA - €79.1m fine (2024)
- Google Inc - €50m fine (2019)
- Criteo - €40m fine (2023)
- H&M - €35.3m fine (2020)
- Amazon France Logistique - €32m fine (2024)
- TIM - €27.8m fine (2020)
- British Airways - €22m fine (2020)
- Clearview AI Inc. - €20m fine (2022)
- Marriott International - €20m fine (2020)
- Meta Platforms Ireland Ltd. - €17m fine (2022)
- Wind Tre - €16.7m fine (2020)
- Deutsche Wohnen - €14.5m fine (2019)
In 2023, approximately €2.1 billion in fines were imposed in the EU for violations of GDPR. The 20 biggest GDPR fines from the past five years reveal some key takeaways.
Firstly, 2021 recorded two heavyweights in terms of penalty amounts. The fines dished out to Amazon Europe and WhatsApp Ireland are in a league of their own, at least for their time.
It appears that either fines are getting steeper or the breaches are becoming more serious with time. After a year of relatively low fines in 2019, the following two years saw some hefty penalties.
In recent times, 2022 and 2023 have a near-even split, although 2023 has seen the largest GDPR fine ever issued and has three of the top five all-time fines. Uber's €290m fine in 2024 sits just outside of the top 5 all-time biggest penalties.
We continuously track the largest GDPR penalties each year. If you're interested in the full details, have a look at the all-time biggest ICO fines, which follow the most recent fines from 2024 below.
The 20 biggest GDPR fines in detail
1. Meta Platforms Ireland Ltd. - €1.2bn fine (2023)
GDPR breaches - Art. 46 (1)
Ireland's Data Protection Commission (DPC) found Meta to be in violation of GDPR international transfer guidelines. The record-breaking fine of €1.2bn was issued to Facebook's parent company after it mishandled personal data when transferring it between Europe and the United States (US).
At the heart of the breach is Meta's transfer of data to the US on the basis of standard contractual clauses since 2020. This is the only valid way to transfer data between the EU and the US, provided there is an adequate level of data protection, which Meta failed to provide.
In addition to the fine, Meta has been ordered to bring its data transfers into compliance with the GDPR. Meta has stated that it will appeal this decision.
2. Amazon Europe - €746m fine (2021)
GDPR breaches - Non-compliance with general data processing principles
In 2021, Luxembourg's National Commission for Data Protection (CNPD) fined Amazon Europe a record-breaking €746 million in respect of how it uses customer data for targeted advertising purposes.
In 2018, the French privacy rights group La Quadrature du Net submitted a complaint.
The complaint - which also targeted Apple, Facebook, Google and LinkedIn - was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received.
The CNPD ruled that Amazon must commit to changing its business practices.
3. Meta Platforms, Inc. - €405m fine (2022)
GDPR breaches - Art. 5 (1) a), c), Art. 6 (1), Art. 12 (1), Art. 24, Art. 25 (1), (2), Art. 35
The Data Protection Commission (DPC) issued a fine to Meta Platforms Ireland Ltd. (Instagram) of €405m, which includes a fine of €20m for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines. An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram.
The DPC conducted a thorough investigation and submitted a draft decision to all peer regulators in the EU. After they couldn't reach a consensus, the case was referred to the European Data Protection Board ("EDPB"). In the end, the DPC's original recommended fine amount was imposed, and the DPC issued a reprimand to the company with an order requiring specific remedial actions.
4. Meta Platforms Ireland Ltd. - €390m fine (2023)
GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)
Meta Platforms Ireland Ltd. makes a second appearance for the year with a €390m fine for unlawfully seeking to use people's data for ads on Facebook and Instagram. The regulator states that Meta cannot force consent by asking consumers to either accept how their data is used or leave the platform.
During the investigation, the Irish Data Protection Commission (DPC) also found that Meta was not clear enough about how and why it would use a user's data.
5. TikTok Ltd - €345m fine (2023)
GDPR breaches - Art. 5 (1) c), 5 (1) f), Art. 12 (1), Art. 13 (1) e), Art. 24 (1), Art. 25 (1), (2)
The Irish Data Protection Commission (DPC) has fined TikTok €345m for breaching a number of GDPR rules, including putting 13-17-year-old users' accounts on default public settings.
This failure to shield underage users from public view was coupled with not supplying these users with transparent information and not checking if the adult who 'paired' with the child in the 'family pairing' scheme was, in fact, a parent or guardian.
Furthermore, the DPC found that TikTok didn't take into account the risk posed to underage users who gained access to the platform.
6. Uber - €290m fine (2024)
GDPR breaches - Art. 44
Uber has been fined €290 million ($324 million) by the Dutch data protection authority (DPA) for illegally transferring European taxi drivers' personal data to the U.S., violating EU regulations.
Although Uber has since stopped this practice, the company disagrees with the fine, calling it "unjustified", and plans to appeal, arguing that its data transfer process was GDPR-compliant. The investigation began after a complaint from a French human rights organisation.
The appeals process could take up to four years, with fines on hold until all legal options are exhausted. Earlier this year, Uber was fined €10 million for similar privacy violations.
7. Meta Platforms Ireland Limited - €265m fine (2022)
GDPR breaches - Art. 25 (1), (2)
Meta Platforms Ireland Limited (MPIL), the data controller of the Facebook social media network, has been issued a fine of €265m along with corrective measures. This is one of the largest fines since the beginning of GDPR.
The inquiry began after reports that a collated dataset of Facebook personal data was made available on the internet. The main issues in the inquiry involved questions of compliance with the GDPR obligation for Data Protection by Design and Default.
After a comprehensive investigation, the DPC found MPIL in breach of Articles 25(1) and 25(2) GDPR, and the supervisory authorities agreed with the final decision.
8. WhatsApp Ireland - €225m fine (2021)
GDPR breaches - Articles 5, 12, 13, 14
Ireland's data authority fined WhatsApp £193m in 2021 for violating privacy standards. It's the highest penalty the Irish Data Protection Commission (DPC) has ever imposed and the second-highest under EU GDPR standards.
A 2018 investigation revealed that WhatsApp was not transparent enough with its customers on how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its decision to other regulators, as required under GDPR law, and had received complaints from eight countries, including Germany, France, and Italy.
9. Enel Energia SpA - €79.1m fine (2024)
GDPR breaches - Art. 5 (1) f), Art. 5 (2), Art. 24 (1), Art. 25, Art. 28, Art. 32
The Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against Enel Energia for telemarketing misconduct. This follows the cancellation of a previous €26.5 million fine due to procedural delays.
The Garante criticised Enel Energia for not implementing adequate measures to prevent telemarketing abuses but acknowledged the company's efforts to improve security.
The regulator found that Enel Energia violated GDPR Articles 5(1)(f) and 32 by failing to properly assess the risks associated with its CRM interface and by not implementing adequate measures to secure access credentials and prevent their sharing. This oversight allowed unauthorised agency employees to access and process personal data within Enel Energia's contractual system.
10. Google Inc - €50m fine (2019)
GDPR breaches - Articles 4, 5, 6, 13, 14
In one of the most high-profile cases of 2019, the French data regulator (CNIL) fined Google an astounding €50 million.
The fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Information about ad personalisation was spread across several documents, hindering users from understanding its full extent.
Additionally, the choice to receive personalised ads was "pre-ticked" upon opening a new account, directly defying the GDPR.
11. Criteo - €40m fine (2023)
GDPR breaches - Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26
The French Data Protection Authority (CNIL) has fined Criteo, an online advertising specialist, €40 million in response to complaints from the non-profit organisations Privacy International and None of Your Business (NOYB).
CNIL's decision cites Criteo's failure to ensure that its partners, such as publishers, obtained user consent for using Criteo's cookies. Although partners are primarily responsible for obtaining consent from users, CNIL still holds Criteo responsible for verifying this consent.
The €40 million penalty amounts to approximately 2% of the company's global revenue, reduced from an initial proposal of €60 million by CNIL rapporteurs.
12. H&M - €35.3m fine (2020)
GDPR breaches - Articles 5, 6
In 2020, the Data Protection Authority in Hamburg fined H&M €35m for the illegal surveillance of its employees.
After employees took a holiday or sick leave, they had to attend a return-to-work meeting. The company recorded some of these meetings, and the data was accessible to over 50 H&M managers.
This resulted in the company keeping "excessive" records on its workforce's families, religions, and illnesses at its Nuremberg service centre. The company then used the data to help evaluate employees' performance and make decisions about their employment.
13. Amazon France Logistique - €32m fine (2024)
GDPR breaches - Art. 5 (1) c), Art. 6, Art. 12, Art. 13, Art. 32
Amazon France Logistique has been fined €32m by the French Data Protection Authority (CNIL) for its excessively intrusive monitoring system of employee activity. In addition to this, the company was penalised for video surveillance processing and the failure to ensure the security of personal data.
The company oversees the management of Amazon's large warehouses in France. Employees are equipped with scanners to track tasks like item storage, retrieval, and packaging in real-time.
Data from these scans is recorded and utilised to assess employee performance, including metrics on productivity, quality, and downtime. After media reports raised concerns about warehouse practices, the CNIL conducted investigations prompted by both media coverage and employee complaints.
The watchdog concluded that Amazon did not require access to the minor data captured by these scanners to plan work in its warehouses. Besides failing to properly inform workers about video surveillance, the monitoring system was found to be extremely intrusive and to put undue stress on the workforce.
14. TIM - €27.8m fine (2020)
GDPR breaches - Articles 5, 6, 7, 17, 21, 32
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million in 2020 for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on the "opt-out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over a month!
Second, the privacy notices for TIM apps and promotions were not transparent, and it was unclear why they would use the data. Consent was also incorrectly managed and often invalid - with a single consent used for multiple purposes.
Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.
15. British Airways - €22m fine (2020)
GDPR breaches - Articles 5(1), 32
The ICO fined British Airways €22m in 2020 after failing to protect the personal data of more than 400,000 customers.
The investigation found that the airline was processing a significant amount of personal data without adequate security measures. This failure broke data protection regulations, and subsequently, BA was the subject of a cyberattack in 2018, which it did not detect for more than two months.
The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details the attacker accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
Initially, British Airways was fined an eye-watering £183m for its GDPR failings in July 2019. However, this was reduced to €22m due to the economic impact of COVID-19.
16. Clearview AI Inc. - €20m fine (2022)
GDPR breaches - Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27
The facial recognition firm Clearview AI has been fined €20m by Italy's data protection agency for breaches of EU law. Upon investigation, the authorities found that the personal data the company holds is processed illegally. This data includes biometric and geolocation information.
Furthermore, the company was found to be in breach of transparency obligations, since it had neglected to inform users of what it was doing with their selfies and had used user data for purposes other than those published online.
17. Marriott International - €20m fine (2020)
GDPR breach - Article 32
Marriott International Inc. failed to keep millions of customers' personal data secure, with 339 million guest records worldwide believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, when Marriott acquired the company.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership numbers. Although this is a large fine, it is significantly less than the fine of £99m that the Information Commissioner's Office (ICO) initially issued.
18. Meta Platforms Ireland Ltd. - €17m fine (2022)
GDPR breaches - Art. 5 (2), Art. 24 (1)
The Data Protection Commission (DPC) imposed a fine of €17m on Meta Platforms. An investigation into the company formerly known as Facebook Ireland Ltd found that it failed to have appropriate technical and organisational measures in place.
This meant that it could not readily demonstrate the security measures it had implemented in practice to protect EU users' data, in the context of twelve personal data breaches.
19. Wind Tre - €16.7m fine (2020)
GDPR breaches - Articles 5, 6, 12, 24, 25
Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre in 2020 for several unlawful data processing activities concerning direct marketing practices.
Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications sent without their previous consent through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and oppose the processing for direct marketing purposes.
Claimants' data was published on public telephone lists despite their opposition. In addition to this, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to provide their consent for different processing activities with every access. They were only allowed to withdraw their "consent" after a 24-hour window.
20. Deutsche Wohnen - €14.5m fine (2019)
GDPR breaches - Articles 5, 25
One of Germany's most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine in 2019, which was the largest in the country since the GDPR came into effect.
According to the Data Protection Authority of Berlin, the company didn't comply with general data processing principles. Personal data that the company should have erased years ago was still accessible to employees.
The fine was originally meant to be almost twice as large at €28 million. However, the Berlin Commissioner considered that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, they lowered the fine.
Top ICO Fines Issued
Before the introduction of the GDPR, the ICO could issue fines capped at £500k. The limitation on the fine amount meant that large global organisations were unlikely to feel the impact of the penalty. The ICO now has the power to fine companies up to 4% of their annual turnover.
Over the years, the ICO has handed out some of the biggest penalties for data breaches where companies have failed to protect customer data. From 2020 to 2021, the ICO issued a record £42m in fines, a 1580% increase on the previous year.
Here are some of the biggest fines the ICO has issued:
- British Airways - £20m fine (2020)
- Marriott Hotels - £18.4m fine (2020)
- TikTok - £12.7m fine (2023)
- Clearview AI - £7.5m fine (2022)
- Ticketmaster - £1.25m fine (2018)
- Cabinet Office - £500k fine (2021)
- Doorstep Dispensaree Ltd. (Pharmacy) - £275k fine (2019)
Infamous pre-GDPR data breaches
Yahoo
Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That's one for every seven or eight people on the planet!
But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner, Verizon, discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That's every single account under the Yahoo name, including Flickr and Tumblr.
The breaches knocked a huge chunk off Yahoo's sale price, to the tune of $350 million. Having once been valued at $100 billion, Verizon paid just $4.48 billion for the core internet business. In October last year, Yahoo agreed to pay $50 million in damages, of which half will be paid by Verizon and the other half by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).
But what would have happened if this breach had taken place post-GDPR?
Of course, the scope of the breach was significant. But, what would have been crucial today was that Yahoo didn't disclose the extent of the breach within 72 hours as the GDPR requires. And with revenue in excess of $4 billion for the year 2012/2013, Yahoo would have faced an $80 million fine, or potentially as much as $160 million!
Facebook
Facebook, now known as Meta, was slapped with a £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.
Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.
Equifax
Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data, including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.
The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers, the ICO was forced to issue the fine.
GDPR fines FAQs
- What is the maximum fine for a GDPR breach?
The General Data Protection Regulation (GDPR) stipulates that the maximum fine for a GDPR breach can be substantial. Organisations found in violation of the GDPR may face fines of up to €20 million or 4% of their global annual revenue, whichever is higher. In British pound sterling, this amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
- Is the amount of a GDPR fine based on company size?
The amount of a GDPR fine is not explicitly based on the size of the company but rather on the severity and nature of the data protection violation. While the GDPR does take into account the annual global turnover of a company as a factor in determining the fine, it does not prescribe fines solely based on the size of the organisation.
The supervisory authorities assess various aspects of the breach, such as the nature of the infringement, the number of individuals affected, the measures taken to mitigate the damage, and the degree of cooperation with regulatory authorities. Larger companies with higher annual revenues may face larger fines, but the primary focus is on ensuring a proportionate and deterrent penalty that reflects the seriousness of the violation.
- Can individuals be fined under GDPR?
Under the GDPR, individuals themselves generally cannot be fined for data protection violations. The GDPR primarily focuses on regulating the behaviour of organisations and entities that process personal data. Penalties and fines are typically imposed on businesses, government agencies, and other entities that fail to comply with the GDPR's provisions.
However, it's essential to note that individuals within organisations, such as data controllers or processors, may face personal liability if they are directly responsible for a data protection breach or if they negligently or intentionally fail to adhere to the GDPR requirements. In such cases, those individuals may be subject to legal action or penalties.
The GDPR is designed to hold organisations accountable for protecting individuals' personal data, but it also emphasises the responsibility and accountability of key personnel within those organisations to ensure compliance and safeguard the privacy and rights of data subjects.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.